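{#
  Deployment for the "<name>-web" component of an AWX-style instance.

  Rendered by the operator with the Ansible `template` module (Jinja2,
  trim_blocks on), so `{% ... %}` lines at column 0 and `{# ... #}` comments
  leave no trace in the manifest.  Everything that reaches the cluster is the
  YAML between the tags.

  Pod layout produced here:
    initContainers: optional CA-bundle extraction, optional user commands,
                    optional ownership fix for the projects volume
    containers:     redis, <name>-web (uwsgi/nginx), <name>-rsyslog
    volumes:        Secrets (receptor CA, work-signing key, app credentials,
                    SECRET_KEY, optional TLS/CA bundles), ConfigMaps
                    (settings, nginx, redis, uwsgi, receptor) and emptyDirs.

  Templated scalar values are quoted throughout so that a value which happens
  to look like a bool/number/null (e.g. a pull secret named "no") is still
  rendered as a string.  Values that deliberately inject YAML structure
  (command/args lists, resource dicts, extra_* blocks) stay unquoted.
#}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: '{{ ansible_operator_meta.name }}-web'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
    {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=4) | trim }}
spec:
{# replicas is only emitted when the operator manages it; web_replicas wins over the shared replicas value #}
{% if web_replicas != '' and web_manage_replicas | bool %}
  replicas: {{ web_replicas }}
{% elif replicas != '' and web_manage_replicas | bool %}
  replicas: {{ replicas }}
{% endif %}
  selector:
    matchLabels:
      app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
      app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
      app.kubernetes.io/component: '{{ deployment_type }}'
  template:
    metadata:
      labels:
        app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
        {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=8) | trim }}
        {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=8) | trim }}
      annotations:
        kubectl.kubernetes.io/default-container: '{{ ansible_operator_meta.name }}-web'
{# Checksums of the rendered ConfigMap/Secret/PVC templates: a change in any of them changes the pod template and so triggers a rollout. #}
{% for template in [
    "configmaps/config.yaml",
    "secrets/app_credentials.yaml",
    "storage/persistent.yaml",
  ] %}
        checksum-{{ template | replace('/', '-') }}: "{{ lookup('template', template + '.j2') | sha1 }}"
{% endfor %}
{% if public_base_url is defined %}
        checksum-configmaps-redirect-page.configmap.html: "{{ lookup('template', 'configmaps/redirect-page.configmap.html.j2') | sha1 }}"
{% endif %}
{#
  Same rollout trigger for Secrets the operator did not render itself: the
  SHA-1 of the fetched Secret's `data` map (empty string when the var or the
  resource is absent).  NOTE(review): this publishes a fingerprint of the
  Secret contents in pod metadata; anyone who can read pods can see it.
#}
{% for secret in [
    "bundle_cacert",
    "route_tls",
    "ldap_cacert",
    "secret_key",
    "receptor_ca",
    "receptor_work_signing",
  ] %}
        checksum-secret-{{ secret }}: "{{ lookup('ansible.builtin.vars', secret, default='')["resources"][0]["data"] | default('') | sha1 }}"
{% endfor %}
{# user annotations: the web-specific block replaces, not extends, the shared one #}
{% if web_annotations %}
        {{ web_annotations | indent(width=8) }}
{% elif annotations %}
        {{ annotations | indent(width=8) }}
{% endif %}
    spec:
{# uwsgi listen backlog above the kernel default needs net.core.somaxconn raised via a pod sysctl (a namespaced, "safe" sysctl in Kubernetes) #}
{% if uwsgi_listen_queue_size is defined and uwsgi_listen_queue_size|int > 128 %}
      securityContext:
        sysctls:
          - name: net.core.somaxconn
            value: "{{ uwsgi_listen_queue_size }}"
{% endif %}
      serviceAccountName: '{{ ansible_operator_meta.name }}'
{# a single image_pull_secret takes precedence; the image_pull_secrets list is only used when it is undefined #}
{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: '{{ image_pull_secret }}'
{% elif image_pull_secrets | length > 0 %}
      imagePullSecrets:
{% for secret in image_pull_secrets %}
        - name: '{{ secret }}'
{% endfor %}
{% endif %}
{% if host_aliases is defined and host_aliases | length > 0 %}
      hostAliases:
{% for item in host_aliases %}
        - ip: '{{ item.ip }}'
          hostnames:
{% for hostname in item.hostnames %}
            - '{{ hostname }}'
{% endfor %}
{% endfor %}
{% endif %}
{% if control_plane_priority_class is defined %}
      priorityClassName: '{{ control_plane_priority_class }}'
{% endif %}
      initContainers:
{# Extracts a user-supplied CA bundle into the shared ca-trust-extracted emptyDir, mounted by the web and rsyslog containers below. #}
{% if bundle_ca_crt %}
        - name: init-bundle-ca-trust
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
              update-ca-trust extract
          volumeMounts:
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
            - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
              subPath: bundle-ca.crt
              readOnly: true
{% endif %}
{# Arbitrary operator-user shell run before the app starts; the script body is injected verbatim into the literal block. #}
{% if init_container_extra_commands %}
        - name: init
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              {{ init_container_extra_commands | indent(width=14) }}
          volumeMounts:
{% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
{% if init_container_extra_volume_mounts -%}
            {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
{% endif %}
{# On plain Kubernetes the projects PVC gets group-writable permissions for gid 1000 before the app container mounts it. #}
{% if projects_persistence|bool and is_k8s|bool %}
        - name: init-projects
          image: '{{ _init_projects_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              chmod 775 /var/lib/awx/projects
              chgrp 1000 /var/lib/awx/projects
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: "{{ ansible_operator_meta.name }}-projects"
              mountPath: "/var/lib/awx/projects"
{% endif %}
      containers:
{# redis: config from the shared ConfigMap, unix socket shared with web/rsyslog via an emptyDir #}
        - image: '{{ _redis_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          name: redis
{# redis_capabilities adds Linux capabilities to this container; rendered as a flow list #}
{% if redis_capabilities is defined and redis_capabilities %}
          securityContext:
            capabilities:
              add: {{ redis_capabilities }}
{% endif %}
          args: ["redis-server", "/etc/redis.conf"]
          volumeMounts:
            - name: "{{ ansible_operator_meta.name }}-redis-config"
              mountPath: "/etc/redis.conf"
              subPath: redis.conf
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-redis-socket"
              mountPath: "/var/run/redis"
            - name: "{{ ansible_operator_meta.name }}-redis-data"
              mountPath: "/data"
          resources: {{ redis_resource_requirements }}
{# web: uwsgi + nginx behind supervisord; web_command/web_args are YAML lists injected as-is #}
        - image: '{{ _image }}'
          name: '{{ ansible_operator_meta.name }}-web'
          imagePullPolicy: '{{ image_pull_policy }}'
{% if web_command %}
          command: {{ web_command }}
{% endif %}
{% if web_args %}
          args: {{ web_args }}
{% endif %}
          ports:
            - containerPort: 8052
{# 8053 is the TLS listener, only opened for an OpenShift Route with passthrough termination #}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
            - containerPort: 8053
{% endif %}
{#
  Liveness = every supervisord program reports RUNNING (grep -vc counts the
  non-RUNNING lines; the header line is tolerated by the threshold settings).
  NOTE(review): the probe reads /etc/supervisord_task.conf while this
  container's SUPERVISOR_CONFIG_PATH below is /etc/supervisord_web.conf;
  confirm this is intended before changing either.
#}
{% if web_liveness_period|int > 0 %}
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  (exit $(/usr/bin/supervisorctl -c /etc/supervisord_task.conf status | grep -vc RUNNING))
            initialDelaySeconds: {{ web_liveness_initial_delay }}
            periodSeconds: {{ web_liveness_period }}
            failureThreshold: {{ web_liveness_failure_threshold }}
            timeoutSeconds: {{ web_liveness_timeout }}
{% endif %}
{# Readiness hits the API ping endpoint over plain HTTP on the in-pod port, independent of ingress TLS. #}
{% if web_readiness_period|int > 0 %}
          readinessProbe:
            httpGet:
              path: /api/v2/ping/
              scheme: HTTP
              port: 8052
            initialDelaySeconds: {{ web_readiness_initial_delay }}
            periodSeconds: {{ web_readiness_period }}
            failureThreshold: {{ web_readiness_failure_threshold }}
            timeoutSeconds: {{ web_readiness_timeout }}
{% endif %}
          volumeMounts:
{# Overrides the UI index.html with a redirect page. NOTE(review): the site-packages path pins the image's Python minor version — confirm against the image when it is bumped. #}
{% if public_base_url is defined %}
            - name: redirect-page
              mountPath: '/var/lib/awx/venv/awx/lib/python3.11/site-packages/awx/ui/build/index.html'
              subPath: redirect-page.html
{% endif %}
{% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
            - name: "{{ ansible_operator_meta.name }}-uwsgi-config"
              mountPath: "/etc/tower/uwsgi.ini"
              subPath: uwsgi.conf
              readOnly: true
{# Secret-backed settings files are mounted individually (subPath) and read-only. #}
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/credentials.py"
              subPath: credentials.py
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/ldap.py"
              subPath: ldap.py
              readOnly: true
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
            - name: "{{ ansible_operator_meta.name }}-nginx-certs"
              mountPath: "/etc/nginx/pki"
              readOnly: true
{% endif %}
{% if ldap_cacert_ca_crt %}
            - name: "{{ ansible_operator_meta.name }}-ldap-cacert"
              mountPath: /etc/openldap/certs/ldap-ca.crt
              subPath: ldap-ca.crt
              readOnly: true
{% endif %}
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-settings"
              mountPath: /etc/tower/settings.py
              subPath: settings.py
              readOnly: true
            {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2") | indent(width=12) | trim }}
            - name: "{{ ansible_operator_meta.name }}-nginx-conf"
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-redis-socket"
              mountPath: "/var/run/redis"
            - name: rsyslog-socket
              mountPath: "/var/run/awx-rsyslog"
{% if projects_persistence|bool %}
            - name: "{{ ansible_operator_meta.name }}-projects"
              mountPath: "/var/lib/awx/projects"
{% endif %}
{#
  Receptor mesh material.  Both the CA certificate and the CA private key
  are mounted into this container (read-only); the work-signing mount is the
  public key only.
#}
            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
              mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
              subPath: "tls.crt"
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
              mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
              subPath: "tls.key"
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
              mountPath: "/etc/receptor/work_public_key.pem"
              subPath: "work-public-key.pem"
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-web-log"
              mountPath: /var/log/tower
{% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
{% endif %}
{% if web_extra_volume_mounts -%}
            {{ web_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
          env:
            - name: AWX_COMPONENT
              value: "web"
            - name: SUPERVISOR_CONFIG_PATH
              value: "/etc/supervisord_web.conf"
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: UWSGI_MOUNT_PATH
              value: "{{ ingress_path }}"
{% if development_mode | bool %}
            - name: AWX_KUBE_DEVEL
              value: "1"
{% endif %}
{% if web_extra_env -%}
            {{ web_extra_env | indent(width=12, first=True) }}
{% endif %}
          resources: {{ web_resource_requirements }}
{# rsyslog: same image as web, reads the app's credentials/settings so it can forward logs as configured #}
        - image: '{{ _image }}'
          name: '{{ ansible_operator_meta.name }}-rsyslog'
{% if rsyslog_command %}
          command: {{ rsyslog_command }}
{% endif %}
{% if rsyslog_args %}
          args: {{ rsyslog_args }}
{% endif %}
          imagePullPolicy: '{{ image_pull_policy }}'
          volumeMounts:
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/credentials.py"
              subPath: credentials.py
              readOnly: true
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-settings"
              mountPath: "/etc/tower/settings.py"
              subPath: settings.py
              readOnly: true
            {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2") | indent(width=12) | trim }}
            - name: "{{ ansible_operator_meta.name }}-redis-socket"
              mountPath: "/var/run/redis"
            - name: rsyslog-socket
              mountPath: "/var/run/awx-rsyslog"
{% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
{% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
{% endif %}
{% if rsyslog_extra_volume_mounts -%}
            {{ rsyslog_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
          env:
            - name: SUPERVISOR_CONFIG_PATH
              value: "/etc/supervisord_rsyslog.conf"
{% if development_mode | bool %}
            - name: AWX_KUBE_DEVEL
              value: "1"
{% endif %}
{% if rsyslog_extra_env -%}
            {{ rsyslog_extra_env | indent(width=12, first=True) }}
{% endif %}
          resources: {{ rsyslog_resource_requirements }}
{# Scheduling knobs: each web_* block replaces the shared one when set (no merging). #}
{% if web_node_selector %}
      nodeSelector:
        {{ web_node_selector | indent(width=8) }}
{% elif node_selector %}
      nodeSelector:
        {{ node_selector | indent(width=8) }}
{% endif %}
{% if web_topology_spread_constraints %}
      topologySpreadConstraints:
        {{ web_topology_spread_constraints | indent(width=8) }}
{% elif topology_spread_constraints %}
      topologySpreadConstraints:
        {{ topology_spread_constraints | indent(width=8) }}
{% endif %}
{% if web_tolerations %}
      tolerations:
        {{ web_tolerations | indent(width=8) }}
{% elif tolerations %}
      tolerations:
        {{ tolerations | indent(width=8) }}
{% endif %}
{% if web_affinity %}
      affinity:
        {{ web_affinity | to_nice_yaml | indent(width=8) }}
{% elif affinity %}
      affinity:
        {{ affinity | to_nice_yaml | indent(width=8) }}
{% endif %}
{# pod-level securityContext (runAsUser, fsGroup, ...) from the CR; rendered from a dict #}
{% if security_context_settings|length %}
      securityContext:
        {{ security_context_settings | to_nice_yaml | indent(width=8) }}
{% endif %}
      volumes:
{% if public_base_url is defined %}
        - name: redirect-page
          configMap:
            name: '{{ ansible_operator_meta.name }}-redirect-page'
            items:
              - key: redirect-page.html
                path: redirect-page.html
{% endif %}
        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
        - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
{% if bundle_ca_crt %}
        - name: "ca-trust-extracted"
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
          secret:
            secretName: "{{ bundle_cacert_secret }}"
            items:
              - key: bundle-ca.crt
                path: 'bundle-ca.crt'
{% endif %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
        - name: "{{ ansible_operator_meta.name }}-nginx-certs"
          secret:
            secretName: "{{ route_tls_secret }}"
            items:
              - key: tls.key
                path: 'web.key'
              - key: tls.crt
                path: 'web.crt'
{% endif %}
{% if ldap_cacert_ca_crt %}
        - name: "{{ ansible_operator_meta.name }}-ldap-cacert"
          secret:
            secretName: "{{ ldap_cacert_secret }}"
            items:
              - key: ldap-ca.crt
                path: 'ldap-ca.crt'
{% endif %}
        - name: "{{ ansible_operator_meta.name }}-application-credentials"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-app-credentials"
            items:
              - key: credentials.py
                path: 'credentials.py'
              - key: ldap.py
                path: 'ldap.py'
              - key: execution_environments.py
                path: 'execution_environments.py'
        - name: "{{ secret_key_secret_name }}"
          secret:
            secretName: '{{ secret_key_secret_name }}'
            items:
              - key: secret_key
                path: SECRET_KEY
{# All ConfigMap-backed volumes below project single keys out of the one "<name>-<type>-configmap". #}
        - name: "{{ ansible_operator_meta.name }}-settings"
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: settings
                path: settings.py
        - name: "{{ ansible_operator_meta.name }}-nginx-conf"
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: nginx_conf
                path: nginx.conf
        - name: "{{ ansible_operator_meta.name }}-redis-config"
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: redis_conf
                path: redis.conf
        {{ lookup("template", "common/volumes/extra_settings_files.yaml.j2") | indent(width=8) | trim }}
        - name: "{{ ansible_operator_meta.name }}-uwsgi-config"
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: uwsgi_conf
                path: uwsgi.conf
        - name: "{{ ansible_operator_meta.name }}-redis-socket"
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-redis-data"
          emptyDir: {}
        - name: rsyslog-socket
          emptyDir: {}
{# NOTE(review): receptor-socket and <name>-receptor-config are declared but not mounted by any container in this template; kept in case user-supplied extra volume mounts reference them — confirm. #}
        - name: receptor-socket
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-web-log"
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-receptor-config"
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: receptor_conf
                path: receptor.conf
{% if projects_persistence|bool %}
        - name: "{{ ansible_operator_meta.name }}-projects"
          persistentVolumeClaim:
{% if projects_existing_claim %}
            claimName: '{{ projects_existing_claim }}'
{% else %}
            claimName: '{{ ansible_operator_meta.name }}-projects-claim'
{% endif %}
{% endif %}
{# hostPath exposes the node filesystem; only emitted in development_mode #}
{% if development_mode | bool %}
        - name: awx-devel
          hostPath:
            path: /awx_devel
{% endif %}
{% if extra_volumes -%}
        {{ extra_volumes | indent(width=8, first=True) }}
{% endif %}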